Microsoft Dynamics CRM (Archived)

Adding users from another forest in two-way forest transitive trust


Hello,

We are buying out another company and as such we have set up a two-way trust between the domains. Everything seems to work AD-side permission-wise when we do anything else (giving access to file shares, mostly), but CRM is one thing I can't figure out. I have added the CRMAppPool account from Forest A to the domain controller on Forest B to have "Allowed to Authenticate", but that didn't seem to do it. We're putting in domain.local\username, and the lookup once we Tab out of that field is long but eventually times out and goes to the next field. I'm wondering what we still need to do to get this going? Or should we do this through ADFS (and how would that be accomplished? ADFS is working for Forest A currently).

  • Community Member

    Try adding the domain users group from the forest you want to grant access to the security tab of your CRM AppPool account with Allowed to Authenticate checked.

  • Justin Dale

    So I open the CRMAppPool account from Forest A in ADUC, then go to the Security tab, add the Domain Users group from Forest B, then check "Allowed to Authenticate" for that group? Doesn't that mean that Domain Users can authenticate against CRMAppPool? At any rate, I did that and I'm still having the same issue. I tried to go to Domain Users in Forest B, add CRMAppPool to the Security tab and add "Allowed to Authenticate", but that option isn't in the list.

  • Justin Dale

    Still can't get it going. It did allow me to add domainb\user, but it didn't populate any of their information, and when they try to log in ADFS gives them an error. What else can I try? The "Allowed to Authenticate" didn't seem to help.

  • Suggested answer from Remon

    Hi Justin,

    You're talking about two things: a two-way trust and ADFS.

    If you already have ADFS up and running in Forest A (where CRM is installed) do you mean that CRM is configured with Claims Based Authentication (and IFD)?

    When you TAB out of the user field, there is an LDAP lookup against a domain.local (Forest B) domain controller.

    One thing that you could try is manually entering the first name and last name and saving the record; if that works, all is fine and the user can log on.

    If you have ADFS set up, and your trust for users is set up fine, you could add users using the UPN from Forest B.

    For example: firstname.lastname@domain.local (Forest B domain), type the first name and last name and save the record.

    When a user logs on using forms-based authentication, he/she can log on using their UPN and password fine.

    Let us know where you stand...

  • Justin Dale

    As you know, ADFS was a requirement to have CBA with IFD in CRM. So that's running on Domain A, where CRM is installed.

    I have tried just adding the username and, after it 'times out' and lets me tab away, I put in the user info and save... but when they try to sign in they just get a generic ADFS error, nothing too specific:

    There was a problem accessing the site. Try to browse to the site again.

    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

    Reference number: dcc7a20a-cafe-44b5-b1e5-f2e8d692d920

    We had to use ADFS, but I'm not sure how to make ADFS work with Domain B as well. Might just need to do some reading.

    I figured at the very least a two-way trust is required, so that ADFS can do the LDAP lookup and confirm the login when logging in. The trust would also be required so CRM can look up the user when creating new users. But it doesn't seem to help any.

  • Suggested answer from Remon

    Hi Justin,

    In your opening post you did not tell us that you've configured CRM in Forest A with CBA/IFD. ADFS is not something that is used only by CRM, so when you say ADFS is working in Forest A, that doesn't mean it's used by CRM.

    You entered the username using DOMAIN\USERNAME, and you were able to save it.

    That sounds like it is saved; you can check whether the user is added to the ReportingGroup in AD.

    CRM uses LDAP to query the user in Forest B and tries to get information about the user (first name, last name, email, etc.); that's where you get your time-out. You can enable tracing and see what it does, and what domain (controller) it queries.

    If you only need CRM to work between both forests, I would not use a two-way AD trust but install ADFS in Forest B and connect ADFS in Forest A to ADFS in Forest B.

    If you also need other services, I would activate a two-way FULL trust. That way Forest A users (CRMAppPool) can query Forest B for information.

    As far as I can read now, you have a trust with selective authentication instead of a full trust.

    Here is a nice text about ADFS and trusts (old but still valid): imav8n.wordpress.com/.../adfs-with-a-one-way-trust

    Hope this helps you a bit further,
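A PowerShell check that walks through the three points above (trust type, the cross-forest LDAP lookup CRM performs, and ReportingGroup membership), added here as an example; it is not from the thread, and the domain name and user name are placeholders.

```powershell
# Added diagnostic (not from the thread). Assumes CRM runs in Forest A, the
# trusted domain is Forest B, and the ActiveDirectory module is available.
Import-Module ActiveDirectory

$ForestBDomain = 'domain.local'   # placeholder: Forest B DNS name used in the thread
$TestUser      = 'jdoe'           # placeholder: sAMAccountName of a Forest B user

# 1. Trust shape. SelectiveAuthentication = True means every foreign principal needs
#    "Allowed to Authenticate" on each resource it touches (the CRM server, the DCs
#    it queries); a full (non-selective) forest trust does not.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Reproduce the lookup CRM performs when you tab out of the user field: query a
#    Forest B DC for the attributes CRM copies into the systemuser record.
#    A long delay followed by an error here is the same time-out seen in the CRM UI.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $u = Get-ADUser -Server $ForestBDomain -Identity $TestUser `
                    -Properties GivenName, Surname, mail, UserPrincipalName -ErrorAction Stop
    "Resolved {0} ({1} {2}, {3}) in {4} ms" -f $u.UserPrincipalName, $u.GivenName,
        $u.Surname, $u.mail, $sw.ElapsedMilliseconds
} catch {
    "LDAP lookup against {0} failed after {1} ms: {2}" -f $ForestBDomain,
        $sw.ElapsedMilliseconds, $_.Exception.Message
    return
}

# 3. Check whether the user reached CRM's AD groups (the ReportingGroup hint above).
#    Cross-forest members are stored as foreign security principals named by their SID.
$fsp = Get-ADObject -Filter "objectClass -eq 'foreignSecurityPrincipal' -and Name -eq '$($u.SID.Value)'"
Get-ADGroup -Filter 'Name -like "ReportingGroup*"' -Properties member |
    ForEach-Object {
        $inGroup = $fsp -and ($_.member -contains $fsp.DistinguishedName)
        "{0}: {1} {2}" -f $_.Name, $(if ($inGroup) { 'contains' } else { 'does not contain' }), $TestUser
    }
```

Run it as the CRMAppPool account (or another Forest A account) so step 2 exercises the same trust path CRM uses.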
